News
2023-11-13 update - CheBanca! changes name!
Hi everybody, on 2024 Jan 15th CheBanca! will change its name to Mediobanca Premier. After that date, new domains will be available:
- developer.mediobancapremier.com will host the new developer portal (there will be an automatic redirect from the old one)
- sandbox-api.mediobancapremier.io will host the sandbox
- external-api.mediobancapremier.io will expose the APIs to call
On your side, you must change the domain you are calling and you must import the new CA certificate chain in your applications; no modifications needed regarding the PSD2 QWAC and QSEAL certificates.
The old API domains sandbox-api.chebanca.io and external-api.chebanca.io will still remain active and working until 2024 Mar 31st; so you'll have some time to implement the changes to switch the endpoints on your side.
CheBanca Development Team
2023-07-11 update - Changes to SCA application accessing account list
Hi everybody, recently we introduced some modifications to our interfaces and processes to conform to the Commission Delegated Regulation 2022/2360 on the official journal.
After the first feedbacks, in order to simplify further the AIS/PIS journey, we decided to remove the mandatory SCA to access the customer account list. Obviously the first authentication factor still remains required to call every CheBanca! API.
This modification should not affect your systems, either if you have already adapted to our new version of the interfaces or not; in summary, now the /private/customers/{customerId}/accounts API will return the expected response directly without the initial PSD2_SCA_REQUIRED error, so the request for SCA will never trigger.
Hope this adjustment will help you realize a smoother AIS/PIS journey
CheBanca Development Team
2023-04-26 update - Changes to SCA application accessing account information
Hi everybody,
On 5th December 2022, the European Union published the Commission Delegated Regulation 2022/2360 on the official journal. The regulation introduces a new article 10bis (Access to the payment account information through an account information service provider) and amends articles 10 (Access to the payment account information directly with the account servicing payment service provider) and 30 (General obligations for access interfaces) of the Delegated Regulation (EU) 2018/389.
Briefly, we identify the following changes to our PSD2 process:
- We should not require Strong Customer Authentication (SCA) to our customers, if they access to some account information, like balance and payment transactions executed in the last 90 days, through AISP TPP, excepting in case that:
- Customer is accessing this account information for the first time through that AISP TPP
- 180 days elapsed since customer has authorized last SCA through that AISP TPP accessing this account information
- The access to payment transactions older than 90 days always requires a valid SCA to be executed
The effects of above points are:
- One-step login: customer redirecting to our login page through a TPP will use his/her first level credentials to log in. After that the TPP will receive the authorization code to obtain access token.
Accounts API now requires a SCA: the /private/customers/{customerId}/accounts API now requires a specific authorization with SCA (see here), since the response contains sensitive data; this will represent the first mandatory Strong Customer Authentication that is required to the customer.- SCA expiration error: The following inquiry APIs will fail with HTTP status code 403 and error code "PSD2_SCA_REQUIRED" if the following conditions are met:
- 180 days elapsed since the last customer SCA has been performed to access balance and payment transactions executed in the last 90 days and the API called is /private/customers/{customerId}/products/{productId}/balance/retrieve
- 180 days elapsed since the last customer SCA has been performed to access balance and payment transactions executed in the last 90 days and the required transactions returned by the following APIs are more recent than 90 days:
- /private/customers/{customerId}/products/{productId}/creditCardTransactions/retrieve
- /private/customers/{customerId}/products/{productId}/transactions/retrieve
- /private/customers/{customerId}/products/{productId}/moneyTransfer/history/retrieve
- every time transactions older than 90 days are requested to these APIs:
- /private/customers/{customerId}/products/{productId}/creditCardTransactions/retrieve
- /private/customers/{customerId}/products/{productId}/transactions/retrieve
- /private/customers/{customerId}/products/{productId}/moneyTransfer/history/retrieve
every time the API /private/customers/{customerId}/accounts is called
- Implementation of SCA process also to authorize inquiry APIs: In case a "PSD2_SCA_REQUIRED" error appears, a TPP should start a SCA process with the existing /private/auth/security/sca/{resourceId}/approach API. The resourceId to use will be returned as a field in the response by the API which failed with such error. At the end of the process, the TPP should retry the API which failed with the error.
- Reduction of access and refresh token lifetime: in order to avoid very long time windows in which TPPs have access to customer's account information without submitting credentials, we decide to reduce maximum refresh token lifetime to 604800 seconds (7 days) and access token lifetime to 28800 seconds (8 hours). Keep in mind that, with this change, an OAuth2.0 Authorization Code flow will not involve SCA to obtain tokens. If your current token lifetimes exceed the new limits, your token lifetimes will be set to those limits.
You can find the documentation about how these updates will impact your applications on this page.
On 29th June 2023, we are going to change our login behavior for customers accessing through TPPs. For that date, you should be able to "refresh" customer SCA when inquiry APIs will return 403 - "PSD2_SCA_REQUIRED".
CheBanca Development Team
2021-12-13 update - Update token format
Hi everybody,
On March 16th, 2022 we are going to change the format of access tokens, refresh tokens and authorization codes. New tokens increase size, lose their current UUID format and have a different character set, improving security for your and our customers.
If you have any kind of format constraint on our access token, refresh token or authorization code, please make changes in order to avoid them.
Here is an example, showing a comparison between current and new tokens:
- current token:
d426470d-7944-47b4-843e-9831c5046d63
- new token:
gTomX-_qHf1-cqAtBfBIZtNqfNXY_pxXv4cCAp_EKsOYOqhPAIzqWorqq3zEh8Q-rw2W1-7F7DQQSoNk9bUoNg
Please notice that token above has 87 characters, but the length could be different. If you really need to define a maximum length (for example, setting a database column size), we suggest setting 256 bytes.
The same modification will be available on December 22nd, 2021 in sandbox environment.
CheBanca Development Team
2020-10-14 update - CheBanca! general system unavailability on October 25th, 2020
Hi everybody,
due to extraordinary maintenance, our systems will be unavailable on October 25th, 2020 for the entire day.
Please note that both our APIs and our developer portal will be down.
CheBanca Development Team
2020-07-30 update - new external-api.chebanca.io certificate available
Hi everybody,
our external-api.chebanca.io server certificate will expire soon (on September 5th, 2020).
You can download it here in preview.
The new external-api.chebanca.io certificate will have the same certificate chain; so if you imported into your application only the intermediate and the root CA, you'll have to do nothing; otherwise, you will need to replace the certificate in your truststore.
We will install it in production environment on August 24th, 2020; please be sure to check the certificates you have imported in your application truststore before that day (if needed).
CheBanca Development Team
2020-04-09 update - new *.chebanca.io certificate available
Hi everybody,
our new server certificate is finally available.
You can download it here in preview.
We will install it in production environment on April 27th, 2020; please be sure to check the certificates you have imported in your application truststore before that day.
CheBanca Development Team
2020-04-06 update - *.chebanca.io certificate change
Hi everybody,
as you know, our *.chebanca.io server certificate will expire soon (on April 30th, 2020).
We are working to replace it, but it will take some days; when we have the new certificate we will upload it in this page, in another update post.
Now, this change may have also impacts on your applications: the CA server chain usually is imported into the client application certificate store, and so you will need to replace the certificate too.
The new *.chebanca.io certificate will have the same certificate chain; so if you imported into your application only the intermediate and the root CA, you'll have to do nothing.
Otherwise, if you also imported our *.chebanca.io certificate into your truststore, you'll have to import the new version before the current certificate expiry date.
Stay tuned for more updates
CheBanca Development Team